SnakeYaml SafeConstructor

https://nvd.nist.gov/vuln/detail/CVE-2022-1471 has a NIST base score of "9.8 CRITICAL" and says:

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

SnakeYaml doesn't plan to release a SnakeYaml version that by default uses SafeConstructor.

So we need to manually check each SnakeYaml use.

These are vulnerable:

new Yaml()

new Yaml(new org.yaml.snakeyaml.constructor.Constructor() [, ...])

These are not vulnerable:

new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor() [, ...])

new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor(new LoaderOptions()) [, ...])

If a different Constructor is passed as first parameter you need to check it manually.

Searching for "new yaml" in folio-org:

https://github.com/search?q=org%3Afolio-org+%22new+yaml%22&type=code

Use of SnakeYaml in dependencies:

• vertx-conf/vertx-conf-yaml has been fixed since Vert.x 4.3.4
• vertx-web has been fixed since Vert.x 4.3.4
• Spring Framework has been fixed since spring-framework 5.3.4
• Spring Boot has been fixed since spring boot 2.1.15.RELEASE
• Swagger-parser is not affected because it uses SafeConstructor: https://github.com/swagger-api/swagger-core/issues/4323#issuecomment-1351815336
• Testcontainers is vulnerable when ParsedDockerComposeFile is used with dynamic input.
• Liquibase is vulnerable when the Liquibase Hub Service (= fetching yaml file from external server) is used (StandardHubService.java and HttpClient.java), all other SnakeYaml usages are safe because they use SafeConstructor or only do serialization (not deserialization): "new yaml" search
• Karate has always been safe: JsonUtils.java
• Micronaut is not affected because it uses SafeConstructor: https://github.com/micronaut-projects/micronaut-core/blob/3.8.x/src/main/docs/guide/appendix/breaks.adoc#387

If SnakeYaml is only used to parse a hard-coded yaml file like a configuration file from the git repository then there is no exploit.

If Snyk reports about "org.yaml:snakeyaml - Arbitrary Code Execution - CVE-2022-1471" investigate as explained above. Set report to "Ignore" if the FOLIO code is not vulnerable.